vibetrader

clawhub:vibetrader

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 2

Findings (2)

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L33

Detects URLs fetched at runtime that control or influence agent behavior without pinning

Get your API key** from [vibetrader.markets/settings](https:// + settings

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.

LOW

Hardcoded secrets in MCP env block MCPCFG_003

mcp-config L42

Detects hardcoded API keys, tokens, or passwords in MCP server environment configuration

"env": { + "VIBETRADER_API_KEY": "vt_your_api_key_here"

FIX

Remove shell metacharacters (semicolons, pipes, ampersands, backticks) from MCP server arguments. Use explicit argument arrays and avoid shell expansion in MCP configurations.

FP?

Likely FP if the metacharacter is a literal part of a non-shell argument (e.g., a regex pattern or a URL query parameter containing ampersands).